Getting in touch...Call the London Grid

for Learning on020 82 55 55 55

email: services@lgfl.net

Find out more atwww.lgfl.net

Unified Sign-On

• A single username and password for every relevant student and member of staff in London, granting access to all supported LGfL resources

• Compact, easy-to-remember usernames which are retained as users move between schools in an authority

• Straight-forward account management via a secure web-based management interface

• Shibboleth® services included

• Supports synchronisation with Windows Active Directory for consistent authentication at LAN and WAN levels

The range of resources accessible through the London Grid for Learning and National Education Network is continually growing, as new collections of educational content are added, and major new facilities such as the London MLE (powered by Fronter), StaffMail and LondonMail are deployed.

Many LGfL resources require password-authenticated access, whether to track the academic progress of students, store user preferences, or control and monitor service usage. Naturally, users would much rather have a single username and password which grants access to all resources instead of separate credentials for each service, and this is the aim of Unified Sign-On (USO).

Under USO, every student and member of staff in a school is issued with a personal user account. For pupil protection, usernames are based on first and last names plus local authority, but do not reveal age, gender or school information. This has the added benefit that usernames do not change when people move between establishments in the same authority. A secure web-based management facility allows accounts to be added, edited and retired.

The Unified Sign-On system is available to staff and pupils within London to support an ever-growing array of services.

To aid the adoption of USO across a whole LA, and to maintain the integrity of the data following its adoption, USO supports automated update tools and scripts that can extract information directly from a school’s MIS.

Why UnifiedSign-On?

A service for the London Grid for Learning community provided by:

Atomwide Ltd2 - 3 Ravensquay Business Centre,

Cray Avenue, Orpington, Kent. BR5 4BQTel: 01689 814700 Fax: 01689 814701

Email: sales@atomwide.com www.atomwide.com

The Unified Sign-On system supports a range of LGfL services, including:

• The LGfL Shibboleth Federation, which controls access to web sites such as the Podcast service (www.podcast.lgfl.net) and Weather Station monitoring system (www.weather.lgfl.net), as well as sets of content provided for home access (www.content.lgfl.net), the Digitalbrain portal (www.lgfl.net), and the London MLE (powered by Fronter) (www.londonmle.net).

• The Click to Meet video conferencing system (vc.lgfl.org.uk) and Sophos Anti-Virus update service (www.sophos.lgfl.net).

• VPN/Remote access services, StaffMail & LondonMail, and Pan-London online admissions.

• ADSync, enabling schools to manage LAN and WAN user accounts from a single location - the USO support web site. Via ADSync, Windows domain accounts within a school can be created in, and removed from, appropriate groups as users join and leave the school; home directories can also be created and shared for new users. This not only eases the administrative burden on schools, but also means that each user has greater consistency in the username and password which he or she uses, whether accessing resources on the school’s Local Area Network or the wider LGfL system.

Second-factor authentication using OTP (one time password) tags for services accessing sensitive data is also now available (see separate sheet).

USO accounts are currently provided for all staff and pupils in London LA schools within the standard LGfL subscription.

Further details are provided within the LGfL USO service description document available from the LGfL support site (support.lgfl.org.uk).

Unified Sign-On

• Synchronisation of an Active Directory with the LGfL’s central Unified Sign-On database over an encrypted web link

• Details of recently added, edited or removed user accounts are collected and processed, with the Active Directory updated accordingly

• User accounts are created and deleted, typically with pupils organised by year group and staff grouped separately

• A home directory is created for every user, with network sharing and setting of appropriate permissions handled automatically

• One-off setup charge per school on a new Active Directory, with no on-going fees

ADSync features:

Issue No. 3. March 2010